Is there any assertion available to verify and decrypt incoming WS Secure SOAP message?
Once a SOAP service is published through the Policy Manager, the SOAP based WS-Security/WS-Secure assertions can be used to validate portions of the message payload. The assertion to validate encryption is the Require Encrypted Element Assertion which can be found under the same section name in the documentation or for WS-Secure conversation then reviewing the section Require WS-Secure Conversation Assertion.
I hope this helps start you forward. Please let us know if this helps.
Director, CA Support
Could you please provide an example policy how to use it on incoming WS-Secure message?
Do you have a sanitized message that I can view to make sure I provide the right information?
Could you please provide me an email Id where I can send the message. Don't want to put it on public forum. My email Id is firstname.lastname@example.org
Have sent the message at email@example.com
For some reason which I will look into, the WCF component of the online documentation did not include the components that use to exist in the shipped PDF back in 8.2. I've attached that Layer 7 Policy Manager User Manual document plus several sample policies to help with the various roles that the gateway can act in for Secure Conversation. In the user manual look at the "How to Integrate the Gateway with WCF"
In this scenario, the gateway sits in the middle of the client and the end service. The secure conversation session is established for the gateway and the endpoint service, but the session is also shared by the client and the gateway. Think of it as a "legitimized Man-In-The-Middle attack".
In this scenario, the gateway acts as WCF Client, which establishes a secure conversation with the WCF service and then sends the service/business request to the WCF service.
In this scenario, the gateway acts as WCF Service, which establishes a secure conversation with a WCF client and handle the client's service request.
Not sure how much above information will be useful in the issue which I am facing.
We are receiving a WS Secure SOAP message from other party. The message is signed (using their private key) and encrypted (using our public certificate). We are not sure how we can use the assertions to first decrypt (using our private key) and then verify (using their public certificate). Please provide a sample policy, if available.
The confusion was with the wording as you are looking for WS-Security Encryption and Signature not WS SecureConversation. We have a video in the community called "Encryption and signing of messages - basic concepts.mp4" which walks through enforcing encryption and signing along with the policies, WSDLs, SOAPUI projects and such in the "Encryption and signing of messages - documents.zip" file in the community.
Thanks for the documents. I went through those, however issue is still unresolved. We are getting a WSS message which is compliant with security policy similar to given at :
Not getting way to verify username token and signature and then decrypt the body. I have also raised a support case#00494616, where I have uploaded the security policy file and incoming WSS message. You may refer that too.
From the work done through the case, I wanted to share a generic policy workflow including sample private key using our ACMEWarehouse sample request. I have attached 4 attachments for creating the payload in one service, consuming it another, the WSDL used, and the private key. To make this workflow work, you will need to publish 2 services using the WSDL provided with the URI /create and /consume (Ensure on WSDL tab that all operations accepted checked and that Get HTTP Method is set as default is just post), create a user in the internal identity provider called testuser with the password testpass, and import the corresponding policies into each service. Send a get to the create service and take the raw response and put it into a post to the consume service. The output should have the signature validated, the body decrypted, and the soap header is removed.
Hi stephen_huges i am to run your policy but i got error can you will please help me to resolve this issue.
Hi arfin shaikh,
At this stage, I suggest a new case be raised with CA support so we can specifically look into your case
It looks like consuming policy only decrypts the message but does not verify the signature. Could you please provide an example in which the signature is also verified?
To force a signature validation, just add a "Require Signed Element" assertion above the "Require Encrypted Element" assertion in the consume policy.